Some Popular Holiday Toys Have Serious (and Creepy) Security Flaws

A consumer research group found that four toys slated for the holiday shopping season are vulnerable to hackers.

That adorable teddy bear you see at the toy store this holiday season may be hiding a dark side.

Some internet-connected toys that allow kids to send and receive messages have weak security protocols hackers could exploit, a consumer safety group found. The vulnerabilities could allow strangers to chat with the kids playing with the toys.

Which?, a U.K.-based consumer products safety testing firm, found security holes in four out of seven Wi-Fi- and Bluetooth-enabled toys it tested--CloudPets, the i-Que Intelligent Robot, the Furby Connect, and Toy-Fi Teddy. Which? is urging retailers like Amazon and Toys "R" Us to stop selling the hackable toys​, The Guardian reports.

The vulnerability lies in the toys' Bluetooth connection, which does not require a password. That means anyone within approximately 98 feet of the toy can send messages. For example, Which? found that hackers could send voice messages to children playing with CloudPets, plush animal toys that are equipped with a Bluetooth speaker.

Similarly, any person within 30 feet of the i-Que Intelligent Robot can type a message into the associated mobile app and make the toy say it. The Furby Connect and Toy-Fi Teddy also are susceptible to these kinds of attacks, Which? found.

Hasbro, which makes the Furby Connect, told The Guardian that it takes security seriously and that the product complies with all laws.

"We feel confident in the way we have designed both the toy and the app to deliver a secure play experience," the company said.